Processor for encrypting and/or decrypting data and method of encrypting and/or decrypting data using such a processor

ABSTRACT

A control device is connected to at least one encryption/decryption device via at least one communication device. The control device is connected to a round key generator via at least one further communication device. The control device has at least one external key input, the at least one encryption/decryption device has at least one external data input and at least one external data output, and the at least one encryption/decryption device and the round key generator are decoupled from one another.

The invention relates to a processor for encrypting and/or decrypting data and to a method of encrypting and/or decrypting data using such a processor having the features mentioned in the preambles of claims 1 and 11.

The Rijndael algorithm, which has been selected by the American National Institute of Standards and Technology (NIST) as the Advanced Encryption Standard (AES), consists of two main blocks: the key scheduling block for calculating the key for the individual encryption rounding operations and the actual encryption and decryption block. Up to now there have been two types of AES coprocessor. Either all rounding keys are calculated prior to encryption/decryption (precalculation), whereby large storage areas are required to store the rounding keys, or else the rounding keys are calculated prior to each encryption rounding operation, as a result of which it is known at which point in time a rounding key is calculated and hence an attack on key generation is easier. Since a recursive algorithm is used in key generation, a relatively large storage area is required in this case too.

It is an object of the invention to provide a processor for encrypting and/or decrypting data and a method of encrypting and/or decrypting data using such a processor which are characterized by a lower storage requirement and greater safety against attacks on the rounding key generation than previously known. In particular, it is an object of the invention to provide an AES coprocessor and a method of AES calculation having said properties.

This object is achieved according to the invention by a processor having the features mentioned in claim 1 and a method of encrypting and/or decrypting data having the features mentioned in claim 11. The processor according to the invention is characterized in that a control device is connected to at least one encryption/decryption means via at least one communication means, the control device is connected to at least one rounding key generation means via at least one further communication means, the control device has at least one external key input, the at least one encryption/decryption means has at least one external data input and at least one external data output, and the at least one encryption/decryption means and the at least one rounding key generation means are decoupled from one another. There is thus neither a direct data path between the at least one encryption/decryption means and the at least one rounding key generation means nor a direct connection of the at least one rounding key generation means to the outside world. Access to the at least one rounding key generation means can thus take place only by means of sequence control or the at least one encryption/decryption means. Increased safety against attacks on rounding key generation combined with a small necessary storage area, which is used only to accommodate data that are temporarily needed for the recursive key calculation, are thereby achieved.

In one preferred refinement of the invention it is provided that the at least one communication means comprises at least one request line, at least one release line and at least one data line and/or the at least one further communication means comprises at least one further request line, at least one further release line and at least one further data line. Particularly favorable properties are thereby advantageously achieved, as a result of which the processor according to the invention is suitable for implementing a wide range of control algorithms in a simple manner.

Furthermore, in one preferred refinement of the invention it is provided that the at least one request line, the at least one release line and the at least one data line and/or the at least one further request line, the at least one further release line and the at least one further data line at least partially use the same line physics. In this way, a minimization of the required installation space and thus increased economy are advantageously achieved.

Moreover, in one preferred refinement of the invention it is provided that the control device comprises at least one storage means in which at least one rounding key generated by the at least one rounding key generation means can be temporarily stored. The necessary storage area is thus small and depends only on the depth of recursion. In this way, the required installation space is minimized, resulting in increased economy.

Furthermore, in one preferred refinement of the invention it is provided that at least one rotating pointer is provided for access to the at least one storage means. Storage areas that have already been read can thus be released in a simple manner for writing with new rounding keys, since by virtue of the pointer no areas which have not yet been read are written to and only areas which have been written to with valid keywords are read. As a result, the required storage area can be kept small.

Moreover, in one preferred refinement of the invention it is provided that at least one handshake protocol is provided for communication of the control device with the at least one encryption/decryption means and/or with the at least one rounding key generation means. A temporary inactivity of encryption/decryption means and/or rounding key generation means is thereby obtained, as a result of which attacks on key generation are made more difficult.

Furthermore, in one preferred refinement of the invention it is provided that the modes of operation of the control device, of the at least one encryption/decryption means and of the at least one rounding key generation means are asynchronous with respect to one another. As a result, attacks on key generation are made more difficult.

In one preferred refinement of the invention it is moreover provided that at least one dummy calculation and/or at least part of at least one previous rounding key calculation can be carried out by means of the at least one rounding key generation means during at least one inactive phase. This gives additional protection against attacks on key generation.

In addition, in one preferred refinement of the invention it is provided that the time between calculation and use of the at least one rounding key is variable. Attacks on the calculation of the rounding key are thereby advantageously made more difficult.

Preferably the processor according to the invention for encrypting and/or decrypting data is embodied so as to be an AES coprocessor and used as such.

The method of encrypting and/or decrypting data according to the invention using a processor according to the invention is characterized in that

a) at least one initial key is read into a control device,

b) external data are read into at least one encryption/decryption means,

c) at least one data word needed to calculate at least one rounding key is read from at least one storage means of the control device and transferred to at least one rounding key generation means,

d) at least one rounding key is calculated recursively on the basis of the at least one data word by means of the at least one rounding key generation means, transferred to the control device and stored in the at least one storage means,

e) the at least one rounding key is transferred to the at least one encryption/decryption means,

f) the external data are encrypted or decrypted by means of the at least one encryption/decryption means using the at least one rounding key and the encrypted or decrypted data are made available at at least one external data output, and

g) steps b) to f) are repeated as often as necessary to encrypt or decrypt a set of external data.

There is thus neither a direct data path between the at least one encryption/decryption means and the at least one rounding key generation means nor a direct connection of the at least one rounding key generation means to the outside world. Access to the at least one rounding key generation means thus takes place only by means of sequence control or the at least one encryption/decryption means. Increased safety against attacks on rounding key generation combined with a small necessary storage area, which is used only to accommodate data that are temporarily needed for the recursive key calculation, are thereby achieved.

Within the context of the method according to the invention it is preferably provided that the communication of the control device with the at least one encryption/decryption means and/or the at least one rounding key generation means takes place by means of at least one handshake protocol. A temporary inactivity of encryption/decryption means and/or rounding key generation means is thereby obtained, as a result of which attacks on key generation are made more difficult.

Furthermore, within the context of the method according to the invention it is preferably provided that the communication of the control device with the at least one encryption/decryption means and the at least one rounding key generation means takes place asynchronously. As a result, attacks on key generation are made more difficult.

Moreover, within the context of the method according to the invention it is preferably provided that access to the at least one storage means takes place by means of at least one rotating pointer. Storage areas that have already been read can thus be released in a simple manner for writing with new rounding keys, since by virtue of the pointer no areas which have not yet been read are written to and only areas which have been written to with valid keywords are read. As a result, the required storage area can be kept small.

Furthermore, within the context of the method according to the invention it is preferably provided that at least one dummy calculation and/or at least part of at least one previous rounding key calculation is carried out by means of the at least one rounding key generation means during at least one inactive phase. This gives additional protection against attacks on key generation.

In addition, within the context of the method according to the invention it is preferably provided that the time between calculation and use of the at least one rounding key is variable. Attacks on the calculation of the rounding key are thereby advantageously made more difficult.

Finally, the method of encrypting and/or decrypting data according to the invention can preferably be embodied and used as a method of AES calculation using a processor according to the invention which is embodied so as to be an AES coprocessor and used as such.

Further preferred refinements of the invention emerge from the other features mentioned in the dependent claims.

The invention will be further described with reference to an example of embodiment shown in the drawing to which, however, the invention is not restricted.

The FIGURE shows an AES coprocessor.

The FIGURE shows a block diagram of one embodiment of an AES coprocessor 10 according to the invention. The AES coprocessor 10 comprises a control device 12, an encryption/decryption means 14 and a rounding key generation means 18, wherein the control device 12 is connected to the encryption/decryption means 14 via a communication means 16 and to the rounding key generation means 18 via a further communication means 20. The communication means 16 and the further communication means 20 each have a request line and a release line and also a data line for transmitting the rounding keys, the rounding key generation means 18 being connected to the control device 12 via an additional data line for transmitting intermediate results for the recursive calculation of the rounding keys. The control device 12 comprises a storage means 28 for temporarily accommodating an initial key, introduced into the control device via an external key input 22, rounding keys and also intermediate results of the recursion. No rounding keys can be stored in the encryption/decryption means 14 or the rounding key generation means 18. The blocks—encryption/decryption means 14, control device 12 and rounding key generation means 18—which operate asynchronously with respect to one another, communicate by means of a handshake protocol, there being no direct data connection between encryption/decryption means 14 and rounding key generation means 18. At the start of an AES calculation, all three blocks are started in parallel. External data are read into the encryption/decryption means 14 via an external data input 24, and the initial key is read into the control device 12 via an external key input 22. The encryption/decryption means 14 and the rounding key generation means 18 both transmit a request to the control device 12, indicating that input data are required, and wait until this request is met.

In respect of the first encryption/decryption rounding operation, the rounding key generation means 18 has priority, that is to say that the data words needed for the recursive algorithm are read from the storage means 28. The priority may be changed for the further rounding operations. Once a keyword has been calculated, the request to write this data word to the storage means 28 is transmitted to the control device 12. The rounding key generation means 18 waits until this request has been met. The actual rounding key is then transmitted to the encryption/decryption means 14, and the external data are encrypted or decrypted in the encryption/decryption means 14 and made available at an external data output 26. In order to keep the required storage area small and make a saving in terms of silicon area, the method is carried out with rotating pointers which release areas that have already been read in order that further rounding keys may be written to them. By virtue of the means according to the invention, a lower storage requirement and greater safety against attacks on rounding key generation than previously known are achieved.
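The storage scheme described above can be modelled in software for AES-128. The following C sketch is an added example, not code from the patent: the control device owns an 8-word ring with two rotating pointers, the generator is a stateless function that sees only the two data words handed to it, and the cipher block receives round keys only from the ring. The ring size, all function names, and the `schedule` bitmask (a stand-in for asynchronous timing that picks which block is polled first at each step) are assumptions; the key is the constructed test input from FIPS-197 Appendix A.1.

```c
#include <stdint.h>
#include <stdio.h>
#define NK 4       /* AES-128: 4-word key, 11 round keys = 44 words */
#define TOTAL 44
#define RING 8     /* assumed storage size in words (44 if precalculated) */
#define ROTL8(x, s) ((uint8_t)(((x) << (s)) | ((x) >> (8 - (s)))))
static uint8_t sbox[256];
static uint32_t ring[RING];   /* storage means, owned by the control device */
static int wr, rd;            /* rotating pointers: words written / consumed */

static void init_sbox(void) { /* standard AES S-box, computed, not tabulated */
    uint8_t p = 1, q = 1;
    do {
        p = (uint8_t)(p ^ (p << 1) ^ ((p & 0x80) ? 0x1B : 0));   /* p *= 3 */
        q ^= (uint8_t)(q << 1); q ^= (uint8_t)(q << 2); q ^= (uint8_t)(q << 4);
        if (q & 0x80) q ^= 0x09;                                  /* q /= 3 */
        sbox[p] = (uint8_t)(q ^ ROTL8(q, 1) ^ ROTL8(q, 2) ^ ROTL8(q, 3) ^ ROTL8(q, 4) ^ 0x63);
    } while (p != 1);
    sbox[0] = 0x63;
}

/* Round key generator: keeps no state, sees only the two words handed to it. */
static uint32_t gen_word(uint32_t w_back, uint32_t w_prev, int i) {
    static const uint8_t rcon[10] = {1, 2, 4, 8, 16, 32, 64, 128, 0x1B, 0x36};
    uint32_t t = w_prev;
    if (i % NK == 0) {
        t = (t << 8) | (t >> 24);                                    /* RotWord */
        t = ((uint32_t)sbox[t >> 24] << 24) | ((uint32_t)sbox[(t >> 16) & 255] << 16)
          | ((uint32_t)sbox[(t >> 8) & 255] << 8) | sbox[t & 255];   /* SubWord */
        t ^= (uint32_t)rcon[i / NK - 1] << 24;
    }
    return w_back ^ t;
}

/* Generator request: released only if the target slot has already been read. */
static int serve_generator(void) {
    if (wr >= TOTAL || wr - rd >= RING) return 0;
    ring[wr % RING] = gen_word(ring[(wr - NK) % RING], ring[(wr - 1) % RING], wr);
    wr++; return 1;
}

/* Cipher request: released only if a complete, valid round key is stored. */
static int serve_cipher(uint32_t out[NK]) {
    if (rd >= TOTAL || wr - rd < NK) return 0;
    for (int k = 0; k < NK; k++) out[k] = ring[(rd + k) % RING];
    rd += NK; return 1;             /* frees these slots for new key words */
}

/* Runs one key schedule under the given polling order and returns word k of
   round key r exactly as the cipher block received it. */
uint32_t demo_word(uint32_t schedule, int r, int k) {
    /* Constructed input: the AES-128 example key from FIPS-197 Appendix A.1. */
    static const uint32_t key[NK] = {0x2b7e1516, 0x28aed2a6, 0xabf71588, 0x09cf4f3c};
    uint32_t rk[11][NK]; int got = 0, step = 0;
    init_sbox(); wr = NK; rd = 0;
    for (int i = 0; i < NK; i++) ring[i] = key[i];   /* external key input */
    while (got < 11) {
        if ((schedule >> (step++ % 32)) & 1) {
            if (serve_cipher(rk[got])) got++; else serve_generator();
        } else if (!serve_generator() && serve_cipher(rk[got])) got++;
    }
    return rk[r][k];
}
int main(void) { printf("w43 = %08x\n", (unsigned)demo_word(0xA5A5A5A5u, 10, 3)); return 0; }
```

Whatever polling order is chosen, the cipher block receives the same eleven round keys, while the moment each key word is calculated relative to its use changes with the schedule.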

LIST OF REFERENCES

-   10 AES coprocessor
-   12 control device
-   14 encryption/decryption means
-   16 communication means
-   18 rounding key generation means
-   20 further communication means
-   22 external key input
-   24 external data input
-   26 external data output
-   28 storage means

1. A processor that performs an encryption/decryption operation, the processor comprising: a control device that receives at least one initial key, the control device comprising: a memory that temporarily stores the at least one initial key, and at least one external key input that receives the at least one initial key from a source; a round key generator connected to the control device via at least one communication device, wherein the round key generator receives the at least one initial key from the control device to calculate at least one round key and transfers the at least one round key to the memory of the control device; at least one encryption/decryption device comprising: at least one external data input that receives external data, an input that receives the at least one round key from the memory of the control device, and at least one external data output that outputs the external data encrypted or decrypted with the at least one round key by the at least one encryption/decryption device, wherein the at least one encryption/decryption device and the round key generator communicate solely via the control device, and the control device transmits intermediate results to the round key generator to perform recursive calculation of the at least one round key; a first request line that sends requests from the at least one encryption/decryption device to the control device; and a second request line that sends requests from the round key generator to the control device, wherein the at least one encryption/decryption device and the round key generator both transmit requests on the respective first and second request lines to start the encryption/decryption operation after both requests are met, wherein the encryption/decryption operation is repeated as often as necessary, except for receiving the at least one initial key by the control device, to encrypt or decrypt a set of external data.

2. The processor of claim 1, wherein the at least one communication device further comprises: first and second release lines; and first and second data lines.

3. The processor of claim 2, wherein the first and second request lines, the first and second release lines, and the second data lines at least partially use a single physical path.

4. The processor of claim 1, wherein the at least one round key is temporarily stored in the memory of the control device.

5. The processor of claim 1, wherein the at least one round key is accessed using a rotating pointer.

6. The processor of claim 1, wherein the communication between the control device and the at least one encryption/decryption device and between the control device and the round key generator is accomplished using at least one handshake protocol.

7. The processor of claim 1, wherein the operation of the control device, of the at least one encryption/decryption device, and of the round key generator are asynchronous with respect to one another.

8. The processor of claim 1, wherein the round key generator performs a dummy operation.

9. The processor of claim 1, wherein a time between the calculating of the at least one round key by the round key generator and the processing of the external data using the at least one round key is variable.

10. The processor of claim 1, wherein the processor is an Advanced Encryption Standard (AES) coprocessor.

11. A method of performing an encryption/decryption operation using a processor, the method comprising: sending a first request on a first request line from at least one encryption/decryption device to a control device and a second request on a second request line from a round key generator to the control device to start the encryption/decryption operation after both requests are met, wherein the at least one encryption/decryption device and the round key generator communicate solely via the control device; reading at least one initial key into the control device, wherein the at least one initial key is obtained from a source other than the round key generator; reading external data into the at least one encryption/decryption device; reading at least one data word needed to calculate at least one round key from at least one storage device of the control device; transferring the at least one data word to the round key generator; calculating at least one round key recursively on the basis of the at least one data word by using the round key generator; transferring the at least one round key to the control device; storing the at least one round key in the at least one storage device; transferring the at least one round key from the at least one storage device to the at least one encryption/decryption device; encrypting or decrypting the external data by using the at least one encryption/decryption device, using the at least one round key, and the encrypted or decrypted external data are made available to at least one external data output; and repeating the method as often as necessary, except for reading the at least one initial key into the control device, to encrypt or decrypt a set of external data, wherein the control device transmits intermediate results to the round key generator to perform recursive calculation of the at least one round key.

12. The method of claim 11, wherein communication between the control device and the at least one encryption/decryption device, and between the control device and the round key generator is accomplished using at least one handshake protocol.

13. The method of claim 11, wherein the operation of the control device, of the at least one encryption/decryption device, and of the round key generator are asynchronous with respect to one another.

14. The method of claim 11, wherein the at least one round key is accessed using a rotating pointer.

15. The method of claim 11, further comprising: performing a dummy operation using the round key generator.

16. The method of claim 11, wherein a time between the calculating of the at least one round key by the round key generator and the processing of the external data using the at least one round key is variable.

17. The method of claim 11, wherein the processor is an Advanced Encryption Standard (AES) coprocessor.